Overview

overview

7

Static

static

3

3a6fa72965...18.exe

windows7-x64

7

3a6fa72965...18.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/07/2024, 19:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a6fa72965a4658867506af0a9e4c997_JaffaCakes118.exe

  • Size

    277KB

  • MD5

    3a6fa72965a4658867506af0a9e4c997

  • SHA1

    50360410222e553121c2563425442ebc5dde28d3

  • SHA256

    5485f28ca73829b395863d65b0be53b32b3105d74cdbd2fd401d7a34bda8b879

  • SHA512

    219d0aa2a6fb21338455dbaacc146d275decf89b3777ca096968294d679a382a67e49401f05cf5d32f0bd21c85234d5fb45483a78899e2582391b0f446b7cfc0

  • SSDEEP

    6144:hSpt+OKXbTkZS3qSeF+ywwW18YO+Pa8nzbt1SgGm0q3:Et6oZRSQhBpCzbtcgz

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a6fa72965a4658867506af0a9e4c997_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a6fa72965a4658867506af0a9e4c997_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Users\Admin\AppData\Local\Temp\QjP8B96.exe
      "C:\Users\Admin\AppData\Local\Temp\QjP8B96.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start iexplore -embedding
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -embedding
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\jFn8D4C.bat"
        3⤵
          PID:1888
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 512
          3⤵
          • Program crash
          PID:4052
      • C:\Users\Admin\AppData\Local\Temp\QjP8D2D.exe
        "C:\Users\Admin\AppData\Local\Temp\QjP8D2D.exe"
        2⤵
        • Executes dropped EXE
        PID:3808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 296
          3⤵
          • Program crash
          PID:2152
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3808 -ip 3808
      1⤵
        PID:3168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3548 -ip 3548
        1⤵
          PID:4872

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QOWVUGSW\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\QjP8B96.exe
          Filesize

          106KB

          MD5

          2a079e97603e5cbcf4a801a526cf7fa6

          SHA1

          3be9f592286a17187a271045f4292e3be524b6da

          SHA256

          e85d1a77c05b5f976c05ea57b61d5214aab386319fc201e9cb4ed9dda92e6fa8

          SHA512

          a68ca6ec585989fa5ecb70fcde767a29b188573017dd2ea470cb0c67173977bf13afe940e9360e94f2b456d14568f1f999ae71a86633eaf434c18517680ec9a2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\QjP8D2D.exe
          Filesize

          94KB

          MD5

          903917b02827d98443c196743be84664

          SHA1

          b135f55183488c9fa79f60195cbe7443c8c9d191

          SHA256

          d186e9ca8056a4b64e216c9e634b7a40a847aba61b46aa78fa3c201ab0e6c6cd

          SHA512

          a8638f534eb78cb531e0a4cedab7f9798b123c47659f222a67a6897a031ce5b6c4cce7f06d020c9cbf34093822d0a551778cd13a3602023bffcdc8e3e6fe83f4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jFn8D4C.bat
          Filesize

          188B

          MD5

          4ea97e6a8d42e8cfc881d2678c84814f

          SHA1

          06f1bbfe05fe8d82d9df45af9e1a11d266030b65

          SHA256

          cc6c228bcbcab8be7876278fe0cbed51f0ab68eea6fc25a0826f6d9785fcb0d9

          SHA512

          ed87a3370e02b94c2c021cbbd073ca1a2464fbd1a134c6a26ace9c5e79f67507cbaa016681c5900cbacefde2e713600a13d97896015dc6cc71c5ba3b2a90ea17

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jFn8D4C.tmp
          Filesize

          80KB

          MD5

          5a4bbd7777dce44a58697a4188cb02d6

          SHA1

          44c652e0ff9a3be599dfd56af1758e91994ba039

          SHA256

          559e6086af7081df06c50fb398766caab133179a55254ce0e907c0b0b2c2ab79

          SHA512

          bbc25531673d19ed3a7abde6757a0897b6fb03481b765455bac63b7faf04c7010a0621cf9ec1eb5a821e5bc008491815714e0a2abfa6d2b4d5a206eedd846c46

          Download Submit